On July 13, Greece’s data protection authority, the Hellenic Data Protection Authority, imposed a fine of 20 million euros on U.S.-based company Clearview AI for violating multiple provisions of the EU General Data Protection Regulation. This number doubled from the previous largest fine issued by the HDPA, which was 9.25 million euros against the largest telecommunications conglomerate in Greece.

The decision of the HDPA was issued following a complaint filed by civil nonprofit organization Homo Digitalis on behalf of a data subject, alleging that Clearview failed to address the data subject’s right to access her personal data processed by Clearview AI.

Complaints for alleged violations of the GDPR have already been lodged against Clearview AI before by the data protection authorities of Austria, France, Italy and the U.K. On these grounds, the U.K. and Italy’s DPAs, the Information Commissioner’s Office and the Garante, respectively, imposed fines, whereas France’s DPA, the Commission nationale de l'informatique et des libertés, and Austria’s Data Protection Authority are both expected to adopt a similar decision on Clearview AI.

In the case before the HDPA, the data subject emailed Clearview AI to request her personal data, which the company had processed in the context of its services. In response to this request, Clearview AI acknowledged receipt of the request on the same day but never took action to address it. In fact, in a subsequent communication with the data subject, Clearview AI claimed it never received the request and instead requested a photograph of the data subject for her immediate identification as precondition to address the request.

After holding a formal investigation, the HDPA found that Clearview AI provides its users with services for the facial recognition of natural persons through its online platform. In particular, the DPA arrived at the following findings:

• Clearview AI initially collects photos and videos posted on the internet that depict facial characteristics of natural persons. From this audiovisual media, further information is extracted and collected (such as metadata of geolocation and data on the person's appearance) and their source link is stored.
• Each photo or video is then connected to a numerical sequence known as a vector, readable by Clearview AI's search engine, which is used to execute the service provided.
• The vectors are stored in Clearview AI’s database where they are subdivided and form part of a list of search results for future use.
• In order to take advantage of the services provided, the users of the platform upload an image of the person they wish to identify. The posted photo or video is linked to a relevant vector, which is then compared to the vectors already stored at Clearview AI's database.
• Finally, a list of results is extracted that includes all the vectors that possibly correspond to the vector generated from the user's uploaded image or video.
• By extracting this list, Clearview AI can connect all images with their corresponding vector, as well as with their source code.

According to the HDPA, this practice constituted automated processing of personal data to build a database of data subject profiles so users can search and identify respective individuals.

In the light of these findings, the HDPA sent a letter to Clearview AI requesting it identify its representative within the European Economic Area and, after giving notice about the complaint, ordered the company to provide information on its personal data processing activities regarding Greek citizens. In response, Clearview AI claimed it does not fall under the territorial scope of the GDPR and is, therefore, not bound by its requirements.

At the same time, Clearview AI claimed its services are addressed exclusively to law enforcement authorities with the objective of identifying individuals through image projection, without any systematic monitoring of data subjects actually taking place. In addition, it stated no inference engine is used in processing.

In response to Clearview AI’s claims it does not fall under the GDPR, the HDPA ruled that, according to the targeting criterion, Clearview is bound by the obligations of the regulation. In particular, the HDPA considered Clearview AI had a specific intention to collect and process personal data in order to conduct profiling and monitor behaviors of data subjects. As highlighted by the HDPA, Clearview’s use of profiling techniques constitutes in itself an act of targeting data subjects residing in the European Union, triggering application of the provisions of the GDPR.

Therefore, in line with Article 27 of the GDPR, the HDPA ruled that Clearview AI was obliged to designate a representative established within the EEA.

In addition and in compliance with the requirements of the cooperation mechanism, the HDPA ruled that the targeting criterion also establishes its competence to monitor GDPR compliance within its territory. Therefore, the HDPA held that the under Article 60 of the GDPR regarding compliance with the provisions of the GDPR by Clearview AI within the geographical boundaries of Greece was lawfully initiated.

The HDPA initially considered that the data gathered from images and stored and processed by Clearview constitutes biometric data beyond any doubt, as described in Article 4(14) of the GDPR. Furthermore, they deemed that the critical processing does not concern a simple collection of data, but rather results in the transformation of the photographs collected into biometric data, which shall be processed under the strictest provisions of Article 9 of the GDPR.

In addition, the HDPA considered that, even though the images were made public by the data subjects themselves, personal data under examination is protected under the GDPR. In particular, through the online publication of their photographs, data subjects do not have reasonable expectations that these will be further processed in the manner under investigation. This conclusion was also strengthened by the fact that the processing carried out by Clearview AI lacks any legal basis.

To sum, the HDPA established that Clearview AI violated the following provisions of the GDPR:

• Violation of the provision of Article 27 GDPR due to failure to comply with the obligation to designate a representative within the EEA.
• Violation of the provisions of GDPR Articles 5(1)(a), 6 and 9 due to failure to comply with the principle of the lawfulness of processing.
• Violation of the provision of GDPR Article 14 due to failure to comply with the principle of transparency and the right to inform data subjects.
• Finally, the violation of the right of access of the data subject represented by Homo Digitalis, since Clearview AI failed to address her relevant request.

In view of the above, the HDPA imposed on Clearview AI the largest fine it has ever imposed in its history of operation, amounting to 20 million euros. In addition, in order to safeguard the fundamental rights of data subjects residing within the Greek territory, the HDPA ordered Clearview AI to delete all data on Greek data subjects and prohibited any further processing of such data.

The decision of the HDPA aligns with decisions of other supervisory authorities on Clearview AI. According to the decision, providers (such as Clearview AI) operating on a global scale, which fulfill the targeting criterion, fall within the scope of the GDPR and may be subject to severe sanctions across the EU if they continue to process personal data of EU residents without complying with the data protection guarantees of the GDPR.